Fileless Malware: A Step-by-Step Guide to Remove and Prevent It!


Yes, we get it. The term “fileless” is really confusing. Without any file? Without any source!? What? But what it actually refers to is malicious code that lives only in the memory of the target machine, rather than being written to the target computer's hard drive as a file.

SAM IT Solutions explained exactly what fileless malware is in a previous blog post – please refer to it, as it covers the following points:

What is Fileless Malware?

The process of Fileless malware

How is it different from other malware?

Most importantly, why is it difficult to detect?

The guide below is especially helpful against threats such as WannaMine and Mimikatz. Let’s get started!

2. Download Microsoft Safety Scanner (as this is the anti-virus/anti-malware that has had the most success in detecting/removing it) and run a Quick Scan. If a Quick Scan does not find/remove it, run a Full Scan. Even if a Full Scan is able to find and remove it, continue with the next steps to see if anything else might be lurking.

5. Next, disable PowerShell v2, as it can be used to bypass what we just set up without even needing administrative privileges. Run PowerShell as administrator and execute the following command:
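As an added example that is not the blog's own command, the following PowerShell (assumptions: an elevated prompt on Windows 8 / Server 2012 or later, where the 2.0 engine is an optional Windows feature) disables the PowerShell 2.0 engine and then checks that it can no longer be started. The check matters because the v2 engine has no script block logging, AMSI integration or constrained language mode, which is exactly why the downgrade is attractive to fileless tooling:

```powershell
# Added example (not the blog's own command): disable the Windows PowerShell 2.0 engine
# and verify that it is gone. Run from an elevated PowerShell prompt.

# Record the current state of the optional feature before changing anything.
$before = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell v2 engine state before: $($before.State)"

# Disable the v2 root feature (its child feature MicrosoftWindowsPowerShellV2 goes with it),
# so 'powershell.exe -Version 2' can no longer be used to dodge v5 logging and AMSI.
if ($before.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# Verify part 1: the feature should now report Disabled.
$after = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell v2 engine state after: $($after.State)"

# Verify part 2: try to start a v2 engine and ask it for its major version.
# With the engine removed this errors out instead of printing "2".
$v2Test = & powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>&1
if ($LASTEXITCODE -ne 0 -or "$v2Test" -notmatch '^2$') {
    'OK: the v2 engine cannot be started on this machine.'
} else {
    'WARNING: the v2 engine is still available; a restart may be required.'
}
```

Run it once, restart when convenient, and run it again: the second run should report Disabled and OK. On Windows 7 / Server 2008 R2 the 2.0 engine is the built-in one and cannot be removed this way; upgrading Windows Management Framework and then applying the same feature removal is the route there.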

7. Open an elevated PowerShell (Run as Administrator) and change directory into the folder that WMILister was downloaded into:

Example:

cd C:\users\example\Downloads

Now execute the following command to perform the search:

cscript //nologo WMILister.vbs >> WMILog.txt

8. After a couple of minutes, a WMILog.txt file listing the malicious scripts found will have been generated in the same directory as WMILister.vbs.

9. At the bottom of the file, pre-generated commands to remove the found scripts are listed. Copy these commands and run them in the elevated PowerShell prompt.

10. Restart the machine one more time and you’re done!
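The persistence that WMILister hunts for lives in the permanent WMI event subscriptions under root\subscription: an __EventFilter (the trigger query), an event consumer (the payload, typically a CommandLineEventConsumer or ActiveScriptEventConsumer carrying PowerShell or VBScript) and a __FilterToConsumerBinding tying the two together. As an added example that is not WMILister and not the blog's own code, the following PowerShell enumerates those three classes, flags consumers whose payload looks like script-based persistence, writes a report next to the script, and deletes the flagged set only when run with -Remove. The keyword list, the -Remove switch and the report path are assumptions; tune the keywords for your environment, and review the report before removing anything, since legitimate management software also registers subscriptions:

```powershell
# Added example (not WMILister, not the blog's own code): list permanent WMI event subscriptions,
# flag likely fileless persistence, and optionally remove the flagged filter/consumer/binding sets.
# Run from an elevated PowerShell prompt. Nothing is deleted unless -Remove is given.
param(
    [switch]$Remove,                                  # assumption: opt-in deletion switch
    [string]$Report = "$PWD\WMISubscriptions.txt"     # assumption: report written beside the script
)

$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns the concrete consumer subclasses
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Keywords typical of script-based persistence payloads (assumption: adjust for your environment).
$suspicious = 'powershell|-enc|-e |FromBase64String|IEX|Invoke-Expression|DownloadString|wscript|cscript|mshta|\.vbs|\.js\b'

$lines = @()
foreach ($b in $bindings) {
    # Binding references look like: __EventFilter.Name="X" and CommandLineEventConsumer.Name="Y".
    # Splitting on the double quote gives the instance name.
    $fName = ($b.Filter   -split '"')[1]
    $cName = ($b.Consumer -split '"')[1]
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }

    # The payload is in CommandLineTemplate (CommandLineEventConsumer) or ScriptText/ScriptFileName
    # (ActiveScriptEventConsumer); other consumer classes simply yield an empty payload.
    $payload = @($c.CommandLineTemplate, $c.ScriptText, $c.ScriptFileName) -join ' '
    $flag = if ($payload -match $suspicious) { 'SUSPICIOUS' } else { 'ok' }

    $lines += "[$flag] filter='$fName' query='$($f.Query)'"
    $lines += "         consumer='$cName' class=$($c.__CLASS) payload='$payload'"

    if ($Remove -and $flag -eq 'SUSPICIOUS') {
        # Remove the binding first so nothing fires while the consumer and filter are deleted.
        $b | Remove-WmiObject
        $c | Remove-WmiObject
        $f | Remove-WmiObject
        $lines += "         removed binding, consumer and filter for '$cName'"
    }
}

if (-not $lines) { $lines = 'No permanent WMI event subscriptions found.' }
$lines | Tee-Object -FilePath $Report   # print to the console and save the report
```

A first pass without -Remove shows every subscription with its trigger query and payload; an entry whose query fires on a timer or on boot and whose payload runs an encoded PowerShell command is the pattern this guide is about. A second pass with -Remove deletes only the flagged sets, which is the same effect as the pre-generated commands at the bottom of WMILog.txt. Restart afterwards, as in step 10, and run the first pass once more to confirm the subscriptions have not been recreated by some other persistence still on the machine.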

Credit for WMILister goes, to the best of my knowledge, to JamesR over at ESET!

If you find yourself dealing with one of these pesky malware infections and are unable to remove it, feel free to reach out to the team of cybersecurity experts at SAM IT Solutions. We are just a phone call (or e-mail) away. You can reach us at +1-919-800-0044 or by email at info@samitsolutions.com